KC 9.2.2 - COSO Enterprise Risk Management (ERM) Model

Internal Controls & ERM
  • "Management" owns I/C & ERM
  • Internal auditors & others provide information
  • "Internal Control" is broadly defined & includes ISO, TQM, process improvement, balanced scorecards, six sigma etc.
  • Enterprise Risk Management is broader than, and encompasses, I/C
  • One definition...
One Definition of IC & ERM
"COSO" stands for the Committee of Sponsoring Organizations of the Treadway Commission. The sponsoring organizations are:
  • Institute of Internal Auditors (IIA)
  • American Institute of Certified Public Accountants (AICPA)
  • American Accounting Association (AAA)
  • Institute of Management Accountants (IMA)
  • Financial Executives Institute (FEI)
Later, COSO is also endorsed by GAO, Federal agencies & SEC.

The Internal Control (I/C) - Integrated framework was introduced in the year 1992 where as the Enterprise Risk Management (ERM) - Integrated framework was introduced as recently as 2004.

ERM Defintion
"Enterprise Risk Management is a process, enected by an entity's board od directors, management & other personnel, applied in strategy setting & across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

Objective Categories are:
  • Strategic - high level goals aligned with & supporting its mission
  • Operations - effective & efficient use of its resources
  • Reporting - reliablity of reporting
  • Compliance - Compliance with applicable laws & regulations
Definition of Internal Control
Internal Control is a process, affected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness & efficiency of operations
  • Reliablity of financial reporting (SOX focus)
  • Compliance with applicable laws & regulations
Components of Internal Control
Control Environment - The core of any business is it peoplr - their individual attributes, including integrity, ethical values & competence - and the environement in which they operate. They are the engine that drives the entity and the foundation on which everything rests.
Risk Assessment - The entity must be aware of and deal with the risks it faces. It must set objectives, integrated with the sales, production, marketing, financial and other activities so that the organization is operating in concert. It alsomust establish mechanisms to identify, analyze & manage related risks.
Control Activities - Control policies & procedures must be established and executed to help ensre that the actiuons identified by management as necessary to address risks to achievement of the entity's objectives are effectively carried out.
Information & Communication - Surrounding these activities are information & communication systems. These enable the entity's people to capture & exchange the information needed to condct, manage and control its operations.
Monitoring - The entire process must be monitored, and modifications made as necessary. In this way, the system can react dynamically, changing as conditions warrant.

Soft Controls vs Hard Controls
Hard controls tend to be
  • formal
  • objective
  • quantitatively measurable
  • the "map"
Soft controls tend to be
  • informal
  • subjective
  • intangible
  • the real terrain

COSO Internal Control - 3 dimensional representation


COSO Internal Control: ERM interaction

COSO Internal Control: ERM interaction

Effective I/C or ERM means
  • That management has a "flow of reliable information" about each component of control for all the objectives, from all areas of the organization.
  • COSO does not specify who shold provide what information, just that mangement should be receiving & acting on the info.
  • Many different sources, or flows of info exist in the organization
  • "Soft Controls" relate to ehe people doing the work to meet the objectives of the organization; "hard control" related the processes and activiteis those people do.
Limitations
  • Reasonable, but not absolute, assurance
  • Different levels of assurance for different objectives
  • The future is uncertain
  • Other limiting factors......
    • Judgement, breakdowns
    • Collusion, management override
    • Cost vs benefits
  • Not part of IC or ERM
    • The objectives selected to be achieved
    • The responses taken to the risks
Other thoughts on I/C & ERM
  • Controls for reliablity of financial reporting are mainly in finance areas (Financial)
  • Controls over effective and eficient opeations (operational) & compliance with laws & regulations (compliance) are mainly in operational areas
  • Discussing objectives, risks and responses is the most valuable part of ERM
  • Anyone can put together a list of risks and controls, but true ERM can only be done by those directly responsible for those objectives
  • The same "Soft Controls" in the COSO I/C framework also apply to the ERM framework. I/C is fully incorporated into ERM
  • ERM doesnt replace good management practices, doesnt replace setting the right objectives, & doesnt replace the business experience needed to have the right vision of where an organization should be heading.
  • The discussion about the risks "are the controls" - it's all about readiness for the unknown
Other Resources
  1. Enterprise Risk Management Framework - Executive Summary
  2. COSO - ERM official website
  3. COSO official website
  4. COSO & COBIT resources
  5. A Comparison of Internal Controls: COBIT, SAC, COSO and SAS 55/78

posted by Prasanna Kumar at 10:08 AM

0 Comments:

Post a Comment

<< Home